oversight

Financial Markets: Oversight of Automation Used to Clear and Settle Trades Is Uneven

Published by the Government Accountability Office on 1990-07-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

-..~“-1-         -..-   -..--~       ..--




91II ly I!~!~0
                                                  FINANCIAL
                                                  MARKETS
                                                  Oversight of
                                                  Automation Used to
                                                  Clear and Settle
                                                  Trades Is Uneven



                                                                  141773




_I__--.___                       .-_____-.-~-_.        ---
<;hOjlM’I’E(:-!)O-~7
United States
General Accounting Office
Washington, D.C. 20648

Information Management and
Technology Division

B-238887
July 12, 1990

The Honorable John D. Dingell
Chairman, Committee on Energy
  and Commerce
House of Representatives

The Honorable E (Kika) de la Garza
Chairman, Committee on Agriculture
House of Representatives

The Honorable Henry B. Gonzalez
Chairman, Committee on Banking, Finance
  and Urban Affairs
House of Representatives
The Honorable Patrick J. Leahy
Chairman, Committee on
  Agriculture, Nutrition, and Forestry
United States Senate
The Honorable Donald W. Riegle, Jr.
Chairman, Committee on Banking, Housing,
  and Urban Affairs
United States Senate
This report is a follow-up to the work we did immediately after the
October 1987 market crash.’ It assessesthe role played by federal regu-
lators and financial organizations in developing and maintaining a
strong foundation of oversight for automated systems vital to the post-
trade processingof stock, options, and futures transactions.’ Generally
speaking, post-trade processingactivities-referred to as the clearance
and settlement process- encompasseverything from double-checking
and confirming the terms of a transaction to paying for and delivering
the traded financial instrument. Organizations, commonly referred to as
clearinghouses,clear and settle trades and rely extensively on auto-
mated systems to do so. These automated clearinghouse systems are
essential to the daily processingof transactions worth billions of dollars
and play a critical role in ensuring that market participants receive

‘See Financial Markets: Preliminary Observations on the October 1987 Crash (GAO/GGD-88-38, Jan.
26, 1988).

‘The term “options” is used in this report to mean stock options, not options on futures contracts.



Page 1                    GAO/lMTEG9O-47       Oversight   of Clearinghouses’   Automation   Is Uneven
                   B-233337




                   timely clearance and settlement services.Serious problems with auto-
                   mated systems could disrupt a clearinghouse’soperations severely
                   enough to threaten the integrity and stability of the financial markets.

                   This review includes an assessmentof the automated systems’ oversight
                   role played by the following three federal regulatory agencies-the
                   Securities and Exchange Commission(SEC) for stock and options clear-
                   inghouses,the Commodity Futures Trading Commission(CFTC)for
                   futures clearinghouses,and the Federal ReserveSystem for stock clear-
                   inghousesthat act and are referred to as depositories. We also reviewed
                   certain systems oversight practices used by five major clearinghouses
                   that account for at least 80 percent of the transactions in the stock,
                   options, and futures markets. The five clearinghouseswere the National
                   Securities Clearing Corporation and the Depository Trust Company for
                   stocks; the Options Clearing Corporation for options; and the Board of
                   Trade Clearing Corporation and the Chicago Mercantile Exchange
                   Clearing HouseDivision for futures contracts.

                   Specifically, this report evaluates the level of regulatory oversight pro-
                   vided to automated clearanceand settlement systems (1) at the time
                   clearing organizations register with a regulator seeking authority to per-
                   form clearinghouse functions; (2) when clearing organizations seek regu-
                   latory approval of proposed rules that implement or modify operating
                   policies and procedures; and (3) during periodic regulator inspections or
                   examinations of clearinghouseoperations. In addition, this report
                   assesseswhether clearinghouses’self-review practices include per-
                   forming systems and facilities risk assessments,:1  conducting comprehen-
                   sive internal audit reviews of automated systems and operations, and
                   utilizing annual external audit reviews of clearinghousedata processing.
                   Details of our objectives, scope,and methodology are included in
                   appendix I.


Results in Brief   To maintain orderly and properly functioning markets, automated clear-
                   ance and settlement systems must operate smoothly. In this connection,
                   the automated systems of the five clearinghousesin our review per-
                   formed reasonably well in processingtrades during the October 1987
                   and 1989 market declines. However, given the important role clearing

                   “A risk assessment is an analysis of the weaknesses associated with operating a computer system and
                   its facilities. It is performed to determine how security resources can be cost effectively deployed to
                   minimize potential loss. Such analyses should be conducted prior to approval of a system’s design
                   specifications, whenever a significant installation change occurs, and at periodic intervals established
                   by the organization.



                   Page 2                    GAO/KMTEG9O-47       Overnight   of Clearinghouses’   Automation   Is Uneven
.
    8288887




    organizations play in the financial markets and the extent to which they
    rely on automation, strong systems oversight is neededby the federal
    regulators and the clearinghousesto ensure that these automated clear-
    ance and settlement systems are continuously able to processtrades in a
    prompt and accurate manner.

    We found that the Federal ReserveSystem has established and followed
    reasonableprocedures for overseeingautomated clearinghouse systems.
    Conversely, we found that the primary federal regulatory agencies-SEC
    and cmc-have not established strong oversight practices to help
    ensure that automated clearance and settlement systems provide timely
    and reliable services.Specifically, neither SECnor CFTCperformed tech-
    nical assessmentsof clearinghouse computers during registration, rule
    review, and inspection processes.We also found that SEChas established
    detailed registration standards designedto ensure the soundnessof
    automated clearinghouse systems, but has not enforced one of its stan-
    dards requiring clearinghousesto perform risk assessmentsof their
    automated systems and facilities. CFTChas not issued such systems over-
    sight standards for the futures clearinghouses.In this regard, both regu-
    lators attribute their inadequate level of oversight in this area to having
    insufficient staff with the requisite expertise to review automated sys-
    tems. Since the close of our review, each regulator has taken steps to
    increase its oversight of automated clearinghouse systems.

    SECand CFTCofficials believe their insufficient systems oversight is miti-
    gated by the clearinghouses’oversight of their own systems. However,
    we also found, to varying degrees,gaps in this “self-regulatory” over-
    sight. For example, none of the five clearinghouseswe reviewed per-
    formed formal, fully documented or complete assessmentsof the risks
    associatedwith operating their computer systems and facilities, even
    though three of these clearinghousesare required by SECto do so. In
    addition, one futures clearinghouse we reviewed lacked an internal audit
    function to assessthe clearinghouse’sdata processingoperations and
    controls. Another futures clearinghouse had an internal audit function,
    but lacked staff with the requisite skills to conduct computer system
    reviews.
    Limited federal oversight of these systems, coupled with gaps in the
    self-regulatory oversight provided by the clearinghouses,indicates that
    the regulators and clearinghousesare not doing all they should to detect
    and avoid problems associatedwith operating automated systems. Con-
    sequently, there is increased and unnecessaryrisk that these systems
    will not be consistently able to processtrades promptly and accurately,


    Page 3            GAO/IMTEG90-47   Oversight   of Clearinghouses’   Automation   Is Uneven
             B-233337




             which reducesthe integrity of the nation’s stock, options, and futures
             markets.
             Accordingly, this report contains recommendationsthat (1) SECand CFTC
             increase their oversight of automated clearinghousesystems in the
             stock, options, and futures markets; (2) SIX ensure full compliance with
             its risk assessmentstandard for stock clearinghouses;(3) CIWCestablish
             standards for the futures clearinghousesto follow in implementing com-
             prehensive systems review programs; and (4) CFTCfollow-up to ensure
             that weaknessesat the futures clearinghousesare resolved.

             Clearanceand settlement takes place after trades have been executed on
Background   an exchange.Clearanceinvolves collecting and matching data from
             traders who buy and sell financial instruments. Clearanceis important
             because,after buyers’ and sellers’ trades are successfully matched, they
             are guaranteed by the clearinghouse in the event parties to the transac-
             tions do not honor their financial obligations. Settlement is the process
             whereby the parties to a trade exchangefunds for stock, options, or
             futures contracts.
             Clearinghousesperform the clearance and settlement functions. They
             rely heavily on computers, using them to: (1) receive trade information
             from buyers and sellers via computer-to-computer links; (2) match cer-
             tain information from traders-such as price and quantity-to confirm
             the terms of each trade; (3) calculate the amounts owed by and due to
             the traders and net these amounts to arrive at one total amount traders
             owe or should receive; and (4) transfer, in the caseof stock, these instru-
             ments from the selling traders’ accountsto buying traders’ accounts via
             a computerized book-entry system. Clearinghousecomputers handle on
             a daily basis hundreds of thousands of trades, worth billions of dollars.
             For example, in 1988, the National Securities Clearing Corporation-
             which clears 96 percent of the stock transactions in this country-
             processedon an average daily basis over 250 million shares of stock
             worth approximately $13 billion.
             Three federal agencies- SEC,CFTC,and the Federal ReserveSystem-
             have responsibilities for regulating and overseeingclearinghouse activi-
             ties. Specifically, theSecurities ExchangeAct (16 U.S.C.79a-7811)
             directs SECto overseethe activities of the stock and optionh clearing-
             houses.Under the act, the Federal ReserveSystem serves as the pri-
             mary regulator of a small number of stock depository clearinghouses,
             such as the Depository Trust Company, that are organized and operated


             Page 4             GAO/lMTECBO-47   Oversight   of Clearinghouses’   Automation   Is Uneven
                      as banks. As a result, the Federal ReserveSystem and SECcoordinate
                      their oversight of stock depositories; the Commissiongenerally handles
                      registration and rule reviews while the Federal Reserveinspects deposi-
                      tory operations. For futures contracts, CFTCunder the Commodity
                      Exchange Act (7 U.S.C. 1 et seq.) overseesthe futures clearinghouses.
                      The oversight responsibilities of these three federal regulators includes
                      automated systems to the extent that such systems are used to process
                      the clearance and settlement of stock, options, and futures transactions.
                      In accordancewith these laws, the three federal regulators have estab-
                      lished procedures to overseethe operations of the clearinghouses.The
                      Federal ReserveSystem’s primary means of overseeingthe depositories
                      consists of annual examinations of each depository’s financial and com-
                      puter operations. SECoversight efforts consist primarily of (1) requiring
                      clearinghousesto register with the Commission so that SECcan ensure
                      that each clearinghouse has the capacity to act as such an organization;
                      (2) conducting reviews of proposed operating procedures-called
                      rules-to ensure their consistency with applicable regulations and laws;
                      and (3) inspecting periodically selectedclearinghouse operations and
                      controls to ensure they are efficient, safe, and designedto detect weak-
                      nessesthat could causefinancial loss to the organization, its members,
                      or the public. CFTCoversight primarily includes rule reviews and peri-
                      odic inspections, which are similar in form to those performed by SEC.


                      Active federal oversight of the stock, options, and futures clearing-
Federal Regulators’   houses’use of computers is critical in assessingwhether clearance and
Oversight Is          settlement can be accomplished in a prompt and accurate manner. In
Incomplete            this connection, it would be prudent and consistent with their oversight
                      responsibilities for the regulators to include technical assessmentsof
                      clearinghouse automated resourcesas an integral element in established
                      oversight activities. Such assessmentscould include providing assur-
                      ancesthat (1) systems have the capacity to support timely operations
                      under normal and high-volume conditions; (2) controls are in place to
                      prevent unauthorized accessand the misuse of automated systems;
                      (3) systems are able to provide continuous service in the event of equip-
                      ment and software failures, natural disasters, and intentional malicious
                      acts; and (4) controls are established to ensure that the systems’ hard-
                      ware, software, and communications perform as intended.
                      Results of our review show that regulatory oversight in the above-men-
                      tioned areas is incomplete. While the Federal ReserveSystem includes
                      technical computer assessmentsas part of its examinations of stock


                      Page 5            GAO/IMTEG9047   Oversight   of Clearinghouses’   Automation   Is Uneven
                                                                                                                        ,
                                                                                                                            _*_

                                B-228667




                                depository operations, we found a lack of direct systems oversight pro-
                                vided by SECand CFTCduring their established registrations, rule
                                reviews, and inspections. This inadequate level of SECand CFTCoversight
                                hampers their ability to effectively overseeclearance and settlement in
                                these financial markets.


Registration Process            By law, SECis required to ensure that stock and options clearing organi-
Weaknesses                      zations have the capacity to facilitate the prompt and accurate clear-
                                ance and settlement of securities transactions.-’Our work disclosed,
                                however, that during the registration processSECdoes not directly per-
                                form technical assessmentsof the computer systems the organizations
                                have in place or propose to use. Instead, responsible SECofficials
                                informed us that they rely on (1) written representations provided by
                                the prospective clearinghouse describing the capability of its computer
                                systems, and (2) assessmentsperformed by external, independent audi-
                                tors employed by the clearinghouse to review its operations.

                                We also found CFX does review clearinghouse operations when the Com-
                                mission considers futures exchanges’requests to trade new contracts,
                                and has certain financial standards the clearing organizations must
                                adhere to in order to operate in this capacity. However, the Commission
                                has provided no formal guidance to those organizations detailing the
                                need for management controls over the use of automated systems. CFTC
                                also does not conduct technical assessmentsof the clearinghouses’auto-
                                mated systems prior to authorizing the entities to commenceoperations.


Gaps in SEC’sand CF’TC’s From time to time, clearing organizations submit proposed rule changes
Rule Reviews             to SECand CFTCfor approval, including related processingchanges
                         affecting clearance and settlement systems. Although both SEC and CFTC
                                have established procedures for approving clearing organizations’ pro-
                                posed rule changes,neither organization directly performs technical
                                assessmentsof rules involving the use of automated systems to perform
                                clearance and settlement functions. Rather, SECand CFTCgenerally
                                review the financial and legal consequences,as opposedto the technical
                                ramifications, of using such systems. CFTC,becauseit usesinformation
                                provided by clearinghouse computer systems for regulatory purposes,
                                does perform limited software testing of certain automated systems
                                during rule reviews to ensure the accuracy of the data produced.

                                416 USC. 7&-l(b)(3).




                                Page 6                 GAO/IM’I’EiG9647   Oversight   of Clearinghouses’   Automation   Is Uneven
    .

4
                          B-228887




                          Over the past 3 years, 59 rules (48 by SECand 11 by CFTC)involving
                          computer systems or enhancementshave been approved by SECand CFTC
                          without complete technical assessmentsof the computer-related implica-
                          tions of these rules. The 48 rules approved by SECrepresent over 40
                          percent of the three securities clearinghouses’rules SECprocessedduring
                          this period. The 11 rules approved by CITC account for approximately
                          10 percent of the 2 futures clearinghouses’rules processedby CFTCover
                          this sameperiod. The rules approved by SECinvolved, for example, the
                          use of systems to (1) enhancethe National Securities Clearing Corpora-
                          tion’s trade comparison system, and (2) automate the Depository Trust
                          Company’s processfor settling trades between financial institutions in
                          this country and abroad. The rules approved by CFTC,for example,
                          included the use of automated systems by the Chicago Mercantile
                          Exchange to compare trades upon execution and determine funds
                          required to secure futures contracts. These automated systems and the
                          clearance and settlement processesthey support are critical to the
                          prompt and accurate processingof transactions in these financial
                          markets.


Weaknessesin the          Regarding the extent to which the federal regulators included reviews of
Regulators’ Inspections   computer systems in their inspections, we found that the Federal
                          ReserveSystem assessedcomputer systems, and SECand CFTCdid not.
                          During its past three annual examinations at the Depository Trust Com-
                          pany, the Federal ReserveSystem evaluated the depository’s computer
                          systems in such areas as data integrity, information resourcesmanage-
                          ment, teleprocessing,physical security over systems and programming,
                          computer operations, and contingency and disaster recovery planning.
                          Further, the Federal ReserveSystem examiners also reviewed audits
                          conducted by the depository’s internal audit staff and external indepen-
                          dent auditors to identify possible computer system weaknessesand to
                          assessthe status of corrective actions. Such efforts have helped to
                          strengthen the depository’s data processingactivities.
                          With regard to SECand CFTC,we found that the inspections conducted by
                          the commissionsrarely included automated systems in the scopeof the
                          work performed. Rather, we found that their inspections generally cov-
                          ered areas involving the financial and legal risks associatedwith oper-
                          ating the clearinghouse, such as the adequacy of risk management
                          procedures, the sufficiency of clearing fund contributions, and the
                          appropriateness of procedures for the financial surveillance of clearing-
                          house members.



                          Page 7            GAO/IMTEC-9047   Oversight   of Clearinghouses’   Automation   Is Uneven
                            IS238837




Effect of Incomplete        ResponsibleSECand CFTCofficials stated that their agenciesgenerally
Federal Systems Oversight   exclude computer systems from oversight becausethey lack sufficient
                            staff with the expertise to perform technical assessmentsof these sys-
                            tems. This inadequate federal oversight of the automated systems used
                            by the clearinghousesimpairs their ability to effectively overseeclear-
                            ance and settlement in these three markets. It also increasesthe risk
                            that system weaknesseswill not be consistently detected or will go
                            undetected.

                            We examined clearinghouseoperations to identify whether these organi-
Gaps Exist in the           zations used certain critical managementcontrol practices to overseethe
Clearinghouses’ Self-       use of automated clearance and settlement systems. While oversight
Oversight Efforts           may include numerous steps, we evaluated the following three basic
                            practices: (1) the performance of periodic risk assessmentsof automated
                            data processing(ADP) systems and facilities; (2) the establishment of an
                            adequately and competently staffed internal audit department capable
                            of reviewing computer systems and acting as an independent level of
                            review over the clearinghouse’sinternal accounting controls; and (3) the
                            use of independent external reviews of an organization’s system of
                            internal controls, including a review of general and application controls5
                            During our review, we found that SEC has issued thorough and detailed
                            standards requiring stock and options clearinghousesto institute and
                            maintain such practices over their operations and computer systems.”
                            These standards provide a good framework for clearing organizations to
                            follow in proactively identifying and correcting computer weaknesses.
                            Our review disclosed,however, that the clearinghousesdid not always
                            use these critical managementcontrols. Specifically, table 1 shows the
                            stock, options, and futures clearinghousesin our review and their use or
                            lack of certain managementcontrols over automated systems.




                            “Internal controls used to protect and safeguard computer systems are categorized as general and
                            application controls. General controls are those that are normally applicable to all data processing
                            being performed within an installation. Application controls apply to individual computer systems
                            and are designed to, among other things, ensure the reliability of information to be processed, the
                            accuracy of data input, the integrity of data processing, and the verification and distribution of data
                            output, An evaluation of application controls should be integrated with an evaluation of general con-
                            trols to ensure that weaknesses in general controls do not adversely affect any applications
                            processed.

                            ‘See Securities Exchange Act of 1934 Release No. 16900, June 17,1980, Announcement of Standards
                            for the Registration of Clearing Agencies.



                            Page 8                    GAO/lMTEG9O-47       Oversight   of Clearinghouses’   Automation   Is Uneven
        .


                                            B-238997




Table 1: Stock, Options, and Futures Clearinghouses’ Computer Oversight Practices
                                                                           Critical Systems Oversight Practices
                                                               Internal Audit Function               External Audits
                                             Formal ADP risk                       Has ADP         General         Application
Clearinghouse                                  assessments Function exists        expertise        controls           controls
Stock,. and Options
          ^__. .-._I .- __-. ._. .-- . .-
National Secuntles Cleanng Corporation                    No              Yes            Y&S                       Yes                  Yes
bepo&ory Trust Company                                    No              Yes            Yes                       Yes                  Yes
Optlons Clearing Corporation                              No              Yes            Yes                       Yes                  Yes
Futures
Board of Trade Clearing Corporation
                          --.-_____                       No               No                No                    Yes                   No
Chicago Mercantile Exchange                               No              Yes                No                    Yes                   No




Stock and
St.nrk 2  Options                           As shown in table 1, the stock and options clearinghouseshad, in com-
Clearinghouse Compliance                    pliance with SEC standards, (1) established internal audit functions with
                                            ADPexpertise that conduct clearinghouse computer reviews and
With Critical Oversight                     (2) engagedexternal auditors to perform independent reviews of the
Practices                                   clearinghouses’systems of internal controls, including general and appli-
                                            cation controls. However, we found that none of the clearinghousesper-
                                            formed formal or complete assessmentsof the risks associatedwith
                                            operating their computer systems and facilities. In addition, we found
                                            that SEC did not determine whether these clearinghouseswere per-
                                            forming these ADP assessments.

                                            Stock and options clearinghouse officials informed us that they are com-
                                            fortable with their current ADP risk assessmentprocesses.Specifically,
                                            the Depository Trust Company, which most closely adheresto federal
                                            risk assessmentstandards, reviews ADP risks as part of its day-to-day
                                            operational and audit activities and also performs an annual review of
                                            its financial, operational, and ADP risks. The Options Clearing Corpora-
                                            tion relies primarily on its internal audit department; the department
                                            conducts an assessmentof the company’s audit areas and ranks and
                                            documents them to identify high-risk areas that it plans to review
                                            during the upcoming year. The National Securities Clearing Corporation
                                            informally assesseson an ongoing basis the risks associatedwith using
                                            their computer systems. We found, however, that these clearinghouse
                                            efforts do not always include certain risk assessmentcomponents such
                                            as (1) evaluating all threats and contingenciesclearinghouse systems
                                            and facilities are exposedto; (2) estimating the dollar value of potential
                                            lossesassociatedwith such threats and contingencies;and (3) having a



                                            Page 9              GAO/IMTEG90-47   Oversight    of Clearinghouses’     Automation   Is Uneven
                           formal processfor conducting such assessments,documenting work
                           results, and reporting them to management.


Futures Clearinghouse      Likewise, the futures clearinghousesdid not perform formal risk assess-
Compliance With Critical   ments and also lacked the use of other basic managementcontrol prac-
                           tices. Specifically, the Board of Trade Clearing Corporation does not
Oversight Practices        have an internal audit function, while the Chicago Mercantile
                           Exchange’sinternal audit staff doesnot have the requisite expertise to
                           perform audits of its automated systems. Further, while both futures
                           clearinghouseshad financial audits performed by independent auditors,
                           the scopeof these reviews only covered general controls over their com-
                           puter systems, and excluded reviews of the adequacy of application con-
                           trols. Without assessingapplication controls, clearinghouseshave less
                           assurancethat controls critical to the recording, processing,and
                           reporting of essential data are working.

                           Futures clearinghouseofficials stated that CFTCdoes not require them to
                           adhere to or implement such oversight measuresbut that they do volun-
                           tarily assessADP risks on an informal, ongoing basis without formally
                           documenting work results. Regarding their lack of internal ADP audits,
                           futures clearinghouse officials told us they have other units within their
                           operations perform this function. Specifically, the Chicago Mercantile
                           Exchange has one staff person in its computer operations division that
                           performs audits of computer backup and recovery processes,while the
                           Clearing Corporation usesstaff from its quality assurancefunction to
                           perform reviews of automated systems under development. With regard
                           to external systems reviews, these officials acknowledged that their
                           financial auditors do not review all application controls but noted that
                           they had external auditors perform periodic reviews of selected areas
                           which they believe enablesthem to sustain a strong internal controls
                           environment.


Effect of Incomplete       Without performing complete assessmentsof ADP risks and formalizing
Clearinghouse Systems      the review processfor such assessments,the clearinghouseshave incom-
                           plete assurancethat their managementand boards are receiving the nec-
Oversight                  essary information to select adequate, cost effective controls
                           commensurate with the organizations’ ADP risks. In addition, the futures
              v            clearinghouses’use of computer operations personnel as internal ADP
                           auditors impairs the ability of such staff to act as an independent, objec-
                           tive level of review in evaluating the clearinghouses’automated systems
                           and controls. In this regard, at both futures clearinghousesthe computer


                           Page10            GAO/IMTEG30-47
                                                          Oversightof Clearinghouses’
                                                                                   AutomationIs Uneven
\
                  B-233887




                  operations personnel were not independent of the officials responsible
                  for the operations they reviewed, and the scopeof their work was lim-
                  ited in that it excluded critical data processingareas such as capacity
                  planning and physical security. To be of maximum usefulness,internal
                  auditors should be independent of the officials whose activities they
                  review, and the scopeof their work should extend to all clearinghouse
                  activities and related managementcontrols. Further, the futures clear-
                  inghouses’ practice of using external auditors to review only general
                  controls provides these organizations with limited assurancethat sys-
                  tems and controls are adequate.
                  These existing gaps in the clearinghouses’oversight increase the risk
                  that automated system weaknesseswill not be consistently detected or
                  will go undetected. In this connection, at each of the five clearinghouses
                  in our review, we conducted a limited assessmentand tour of the auto-
                  mated systems and facilities. At four of the clearinghouses,we did not
                  uncover any material problems. However, at one clearinghouse we did
                  identify someweaknessesin such areas as physical security and con-
                  tinuity of operations. These included weak accesscontrols to the com-
                  puter room and a lack of an uninterruptible power supply to the
                  computer room. Weaknessessuch as these reduce the strength of the
                  clearinghouse’ssystem of internal controls. Officials of this organization
                  have already taken action to correct someof the weaknessesand are
                  looking at ways to addressthe others.

                  Proactive oversight by the federal regulators and the clearinghousesis
Conclusions and   essential to (1) assesswhether these systems have sufficient capabilities
Recommendations   and controls in place to processtrades in a prompt and accurate manner,
                  and (2) keep these organizations and their computer systems free of
                  problems, especially during volatile market activity. The limited federal
                  oversight of these systems, coupled with gaps, to varying degrees,in the
                  self-regulatory oversight provided by the clearinghouses,indicates that
                  these parties are not taking all necessarysteps to detect and avoid
                  problems associatedwith operating automated systems. Such actions
                  are critical to ensure these systems will be able to processtrades
                  promptly and accurately, especially during stressful market periods.
                  Accordingly, to strengthen systems oversight in this area, we recom-
                  mend that the chairpersons of SECand CFTCimplement the following
                  actions:




                  Page 11           GAO/IMTEG9047   Oversight   of Clearinghouses’   Automation   Is Uneven
                                                                                                              .
                                                                                                                  <

                          B-238887




                  l Both should allocate the necessaryresourcesto establish the capability
                    to assessthe efficient and safe use of automation in the clearance and
                    settlement process.This capability could be included within the agen-
                    cies’ existing oversight processes,such as inspections and rule reviews.
                  . SECshould strengthen enforcement of its clearinghouseregistration stan-
                    dards by ensuring that clearinghouses,as part of their annual risk man-
                    agement programs, perform risk assessmentsof their automated
                    systems and facilities.
                  . CFTCshould establish regulatory standards for the futures clearing-
                    housesdetailing prudent managementpractices to be used in developing
                    and implementing comprehensiveand thorough systems review pro-
                    grams, and the Commissionshould ensure that the clearinghouses
                    adhere to such guidance.
                    CFE should follow up on the weaknessesidentified at the futures clear-
                      l


                    inghousesto ensure they are satisfactorily resolved.

                          We orally discussedthe contents of this report with senior officials from
Agency Comments and       the three regulatory agenciesand the five clearinghouses.Two regula-
Our Evaluation            tory agencies-s= and cmc-also provided formal written responsesto
                          our report which are contained in appendixes II and III, respectively. As
                          a whole, these eight organizations generally agreed with the facts and
                          contents of our report, and we have incorporated their comments where
                          appropriate. In this regard, CFTCand SEChave recently taken steps to
                          increase their oversight of the automated systems used by the futures
                          and securities clearinghouses.
                          Since the close of our review, CFTCestablished an interagency task force
                          of computer experts in May 1990 to advise the Commissionon how
                          automation assessmentsshould be incorporated into its oversight
                          efforts. This task force will also addressthe need to provide automated
                          systems oversight standards to the futures clearing organizations. Fur-
                          ther, CFTChas recently authorized staff from its Office of Information
                          ResourcesManagement(OIRM) to perform technical assessmentsof auto-
                          mated systems as part of the Commission’sestablished inspections of
                          clearinghouse activities, and OIRMstaff recently began to conduct such
                          reviews. With regard to improved systems oversight by SEC,the Com-
                          mission has established an automation review group and is planning to
                          staff it with personnel with the expertise to provide technical assistance
                          in identifying clearinghouse system weaknessesduring registration, rule
                          review, and inspection processes.




                          Page 12           GAO/lMTEC-90-47   Oversight   of Clearinghouses’   Automation   Is Uneven
We believe the recent initiatives by SECand CFTCrepresent good first
steps in strengthening the commissions’oversight processesfor
reviewing automated systems used by stock, options, and futures clear-
inghouses.However, becausethese initiatives have been recently imple-
mented, it is too early to assesstheir effectiveness.

We are providing copies of this report to other interested members of
Congress,executive branch agencies,and the public. We will also make
copies available to others upon request.
This work was performed under the direction of Howard G. Rhile,
Director, General Government Information Systems,who can be reached
at (202) 2’75-3455.Other major contributors are listed in appendix IV.




Ralph V. Carlone
Assistant Comptroller General




Page 13          GAO/IMTEG90-47   Oversight   of Clearinghouses’   Automation   Is Uneven
Contents


Letter
Appendix I                                                                                                     16
Objectives, Scope,and
Methodology
Appendix II                                                                                                    18
Comments From the
Securities and
Exchange Commission
Appendix III
Comments From the
Commodity Futures
Trading Commission
Appendix IV                                                                                                    24
Major Contributors to
This Report
Table                   Table 1: Stock, Options, and Futures Clearinghouses’                                    9
                            Computer Oversight Practices




                        Abbreviations

                        ADP       automated data processing
                        CFTC      Commodity Futures Trading Commission
                        GAO       General Accounting Office
                        IMTEC     Information Management and Technology Division
                        OIRM      Office of Information ResourcesManagement
                        SEC       Securities and Exchange Commission


                        Page 14          GAO/IMTEGBO-I7   Overnight   of Clearinghouse@’   Automation   Is Uneven
Page 15   GAO/IMTJ3C9O47   Oversight   of Clearinghouses’   Automation   Is Uneven
                                                                                                           .
Appendix I

Objectives,Scope,and Methodology


              We undertook this study to determine the extent of oversight provided
              to computer systems used to clear and settle trades made in the U.S.
              stock, options, and futures markets. Specifically, we assessedthe over-
              sight provided by the federal regulators and clearinghousesto reduce
              the risks associatedwith operating such systems. These topics were
              selected for review for three reasons.First, computers form the back-
              bone of the clearance and settlement processesin that they are essential
              to the orderly clearance and settlement processingof the large number
              of stock, options, and futures trades executed daily in these markets.
              Second,clearance and settlement plays a major role in these markets-
              financial and operational problems in this area during the October 1987
              stock market crash threatened the entire US. financial system,
              according to a presidential task force established to study the event.i
              Third, during our review of the 1987 stock market crash, we found a
              lack of federal oversight of the automated trading systems.
              We conducted our audit work at five clearance and settlement organiza-
              tions: the National Securities Clearing Corporation; the Depository Trust
              Company; the Options Clearing Corporation; the Chicago Mercantile
              Exchange’sClearing House Division; and the Board of Trade Clearing
              Corporation. These organizations were selectedfor review becausethey
              clear and settle a large majority of the stock, options, and futures trans-
              actions in this country.

              The objectives of our review were to assess(1) the role of federal regu-
              lators in reviewing the use of computer systems in the clearance and
              settlement processes,and (2) the adequacy of management control prac-
              tices that the clearinghousesuse to review their own automated clear-
              ance and settlement systems. For our first objective, we determined the
              level of oversight provided by the three federal regulators-SEC, CFTC,
              and the Federal ReserveSystem-in established regulatory and over-
              sight processes:registration, rule reviews, and inspections. We also
              ascertained whether the regulators had issued systems oversight gui-
              dance to the clearinghouses,and if so, whether compliance with such
              guidance was routinely enforced. For our secondobjective, we identified
              three generally acceptedmanagementcontrol practices in order to have
              effective system oversight, and reviewed clearinghouses’operations to
              determine the extent of their compliance. These critical management
              controls are (1) conducting risk assessmentsof computer systems and
              facilities; (2) establishing an internal audit function capable of

               ‘See Presidential Task Force on Market Mechanisms, Report to the President of the United States,
              [Brady Report], Jan. 1988.



              Page 10                  GAO/IMTES90-47       Oversight   of Clearinghouses’   Automation   Is Uneven
    .
,
        Appeudlx I
        Objectlvea, Scope, and Methodology




        reviewing computer systems and controls; and (3) engagingexternal,
        independent reviews of clearinghouse data processingactivities,

        To understand the role that the responsible federal regulators play in
        overseeingautomated clearance and settlement systems, we obtained
        supporting documentation and interviewed federal regulatory officials
        at SEC,CFTC,and the Federal ReserveSystem headquarters to determine
        their responsibilities, including how they review the clearinghouses’use
        of computers. We also held discussionswith those staff at SEC and CFTC
        regional offices in New York and Chicago, and at the Federal Reserve
        Bank in New York, who participate in overseeingthe stock, options, and
        futures clearinghousesincluded in our review. In addition, we reviewed
        the inspections and examinations that the federal regulators performed
        at the clearinghousesover the past 3 years to determine the extent to
        which computer-related areas are included in their oversight.

        During our assessmentof the oversight provided these systems by the
        clearinghouses,we interviewed the organizations’ internal auditors, if
        the entity had such a group, and external certified public accountants.
        We also reviewed the internal and external auditors’ reports to deter-
        mine, among other things, the extent of oversight provided to these sys-
        tems. The audits we reviewed were from the period 1986 to 1988. The
        public accounting firms we met with included Price Waterhouse for the
        National Securities Clearing Corporation and the Depository Trust Com-
        pany; Deloitte Haskins and Sells for the Options Clearing Corporation;
        Arthur Andersen and Company for the Chicago Mercantile Exchange’s
        clearing division; and Touche Rossand Company for the Board of Trade
        Clearing Corporation. In addition, we reviewed and analyzed the clear-
        inghouses’ risk assessments,in those caseswhere they had been per-
        formed, to determine the extent to which the assessmentsaddressedthe
        risks associatedwith their computer systems and facilities used for
        clearance and settlement purposes. We also toured the clearinghouses’
        computer operations centers. Finally, we performed a limited assess-
        ment of the controls used to safeguard the automated systems and facili-
        ties, and interviewed responsible officials concerning the extent of
        oversight afforded these systems.

        Our audit work was performed between November 1988 and February
        1990, and was conducted in accordancewith generally acceptedgovern-
        ment auditing standards.




        Page 17                 GAO/IMTEG90-47   Oversight   of Clearinghouses’   Automation   Is Uneven
                                                                                                                  t
Appe ndix II                                                                                                          4

CommentsFrom the Securitiesand
ExchangeCommission


                                                    UNITED   STATES
                                 SECURITIES      AND    EXCHANGE          COMMISSION
                                              WASHINGTON.     DC.     20549




                                                                      May 29, 1990

               Ralph V. Carlona
               Assistant  Comptroller General
               General Government Programs
               General Accounting Office
               441 G Street, N.W.
               Washington, D.C. 20548
                      Re:    Draft Report on Automation                   Used to Clear and Settle
                             Trades
               Dear   Mr.   Carlone:
                       This is in response to a request for comments on a report
                ("ReportO*) of the General Accounting Office (llGAOII) entitled
                      oved Oversiaht Needed for Automation Used to Clear and
               $%le      Tradea. Generally,           the Report finds that the automated
               systems     of the five clearinghouses         under review performed
               satisfactorily          in processing trades during the October 1987 and
               1989 market declines.            The Report also notes that the
               Securities       and Exchange Commission's (llSEC" or "Commission")
               thorough and detailed           registration   standards provide a good
               framework for clearing organizations              to follow in proactively
               identifying        and correcting      computer weaknesses. We expect that
               rigorous enforcement of these standards, in conjunction                     with
               recent    initiatives       by the SEC in the area of automation, will
               enhance our ability           to oversee clearinghouse       automated data
               processing ("ADP") systems and will further                increase the safety
               and efficiency         of these systems. Nevertheless,           the Report
               contains a number of recommendations of additional                   actions
               which the GAObelieves the SEC or securities                  self-regulatory
               organizations         (llSROs'l) should take to detect and avoid problems
               associated with operating ADP systems.
                      As it relates   to the Commission, the Report recommends
               that the Commission perform directly           technical   assessments of
               clearinghouse     computer systems during established
               registrations,     rule reviews, and inspections.          In reviewing an
               application    for registration       as a clearing    agency, the Division
               of Market Regulation       ("DivisionI')   applies the requirements of
               the Securities     Exchange Act of 1934 as well as the regulatory




                Page 18                GAO/IMTEG90-47        Oversight        of Clearinghouses’   Automation   Is Uneven
       Appendix II
       Comments From the Securlties   and
       Exchange 0xnmJssion




Ralph V. Carlone
Page 2
 standarda referred to in the Report. u                   These standards
 require,     among other things, that the clearing agency have an
 internal     audit department adequately staffed with qualified
 personnel.        In addition to sufficient          technical      training      and
 proficiency       in accounting and auditing,           qualified       personnel
 must     possess expertise       in the ADP application           of accounting and
 auditing     necessary       to perform the internal        audit functions.            It
 is the responsibility           of this department to act as a separate
 level of control in reviewing and evaluating                    the clearing
 agency’s     system of internal        accounting control,          which includes
 ensuring the integrity           and accuracy of its ADP operations,                 both
 during development and thereafter,               In addition,         the standards
 require an annual opinion report prepared by an independent
 public accountant based on a study and evaluation                       of the
 clearing     agency's system of internal           accounting control for the
 period since the last such report.               As the Report notes,             the
 stock and options clearing agencies have established                        internal
 audit functions         and have engaged independent accountants to
 review the adequacy of their systems of internal                      controls,
 including      general and application        controls,       in compliance with
 SEC standards.          Indeed, the standards clearly             contemplate that
 technical      assessments be conducted by internal                and external
 auditors,      not the SEC. We question,           therefore,       whether it is
 an efficient        allocation     of resources to devote SEC staff to
 performing a third technical            assessment when at least two other
,entities      (one of which is independent) are charged with
 performing this function.             Moreover, as a general practice,                in
 ;zt;=fT;ion     with registrations        and rule filings,         the Division
              and assures itself        of the adequacy of, the clearing
 agency';i System8 capacity and security,                as well as contingency
 plans the clearing           agency has established       relating       to systems
 failure     or sabotage.
       In addition,     although the Report acknowledges that the
Commission has established         detailed   registration     standards
designed to ensure the soundness of automated clearinghouse
systems, the Report states that clearing             corporations    do not
perform periodic      risk assessments of their ADP systems as
contemplated by the standards.            We strongly agree that clearing
corporations     should perform periodic        risk   assessments of their
automated systems.         It should be noted that, in addition,
although the registration        standards initially       served a8
guidelines    for review of clearing        agency registration
applications,     each of the clearing agencies that was the
subject of the Report must continue to satisfy the requirements



l/     m Securities.Exchange                Act Release No. 16900 (June 17,
       1980), 45 FR 41920.




      Page 19                 GAO/IMTEGSO47       Oversight   of Clearinghouses’   Automation   Is Uneven
      Appendix II
      Comments From the Securities   and
      Exchange Commission




Ralph V. Carlone
Page 3
set forth in the standards. 2/ It is our understanding,
however, based on the considerable         number of rule filings
refining   and enhancing clearing corporation         ADP systems, that
clearing   corporations     do, in fact, monitor and evaluate their
ADP systems on a continuing       basis.    Nevertheless,    we believe
there is merit in GAO's suggestion that a formalized,            scheduled
review of ADP systems as contemplated in the standards be
performed.     Accordingly,    the Division has reminded each of the
subject clearing agencies of their obligation           to review ADP
system8 and related controls as a part of the annual review and
report process.      The Division will review, in conjunction         with
the Commission's clearing agency inspection           program,
implementation    of this objective.
        The report also finds that the Federal Reserve System
 ("Fed") assesses computer systems during the inspection
process, but that the SEC does not.              It should be noted that,
although depositories         are registered     clearing    agencies under
the Securities       Exchange Act of 1934, as members of the Federal
Reserve System, the Fed is the appropriate                regulatory     authority
with primary oversight responsibility.               Again, we believe it is
appropriate      to avoid duplication      of regulatory       effort wherever
possible,      so long as the financial       and operational        integrity     of
the clearing       agency and its participants         is not endangered as a
result.      We agree, however, that formalization             of the ADP risk
assessment at the non-depository           clearing      agencies would be
beneficial      and we will include a review of such assessments as
they relate to computer systems as part of our routine
inspection      procedures.      Given the level of required internal
and independent review already in place, however, we do not
believe that the Commission should expend scarce resources by
hiring    a large number of ADP examiners as replacement for
existing     examination staff qualified         to review compliance with
the Commission's anti-fraud,          sales practice       and financial
responsibility       regulations.
      In connection with the increasingly           important role of
automation in the securities       industry,     the Commission has
created a new Office within the Division of Market Regulation
that will produce guidelines       for, and oversee, automation
review at the SROs. g      Priorities      dictate that the focus of

w     &&2 Securities Exchange Act Release No. 20221 (Sept. 23,
      1983), 48 FR 45167.
v     Prior to the establishment   of this new office the
      Commission published for comment an Automation Review
      Policy (I'ARP") which states that SROs should, on a
      voluntary  basis, establish  comprehensive planning and
                                                     (continued...)




      Page20                 GAO/IMTEG9O-47Oversight
                                                  ofClear@houses'AutomationIsUneven
      Appendix II
      Commenta Prom the SecurltIea   and
      Exchange Commission




Ralph V. Carlone
Page 4
this Office,    at least initially,   be on market execution and
information    systems. Nevertheless,     we expect that the Office
will provide technical     assistance to the Division on an as-
needed basis and will increase our ability       to oversee
effectively    clearing agency systems by providing     the technical
expertise    necessary to identify   systems weaknesses in
connection with the registration,      rule review, and inspection
processes.
       In conclusion,  the Commission appreciates the critical
role that automated clearinghouse         systems play in ensuring that
market participants    receive timely clearance and settlement
services.    We believe that the SEC's oversight of automated
systems in the clearance and settlement area, in combination
with the oversight of the SROs, is adequate to detect and
resolve problems associated with operating automated systems.
Moreover, with the assistance provided by the Office of
Automation and International     Markets,      we are confident that our
oversight   in this area will be strengthened.
      We appreciate this opportunity  to comment on the Report
and request that a copy of this letter be appended to the
Report when it is issued.
                                                Sincerely,



                                                Richard Ketchum
                                                Director




a//(. .-continued)
      assessment programs to determine systema capacity and
      vulnerability.   &!9=9Securities   Exchange Act Release No.
      27445 (November 16, 1989), 54 FR 48703. Although the
      Commission did not extend the ARP to clearinghouse
      automated systems, the Commission stated that in the
      future it may suggest expansion of the Policy to other SRO
      computer-driven  support systems for, among other things,
      clearance and settlement,     if it finds it necessary to
      ensure the maintenance of fair and orderly markets.       m
      54 FR 48703 at note 27.




      Page 21                GAO/IMTEG90-47   Oversight   of Clearinghouses’   Automation   Is Uneven
Appendix III

CommentsFrom the Commodity Futures
7hxtdng Commission


                                          COMMODITY    FUTURES TRADINQ           COMMISSION
                                               2033 K Street. N.W.. Washington. D.C. 20581
                                                              (202)254-6970


                                                          June 1, 1990
                   Wendy L. Qramm
                      Chairmari


                        Mr. Ralph V. Carlone
                        Assistant     Comptroller General
                        Information       and Technology Division
                        General Accounting Office
                        441 G Street, N.W., Room 6915
                        Washington, D.C. 20548
                                  Re: Prrrft  Rewort  Entitled  11-roved             0v eyLhaht
                                                                                            '   Needed fox

                        Dear Mr. Carlone:
                               The Commission appreciates the opportunity       to comment on the
                        draft    report     ("Report") of the General Accounting Office (%AO1*)
                        entitled       "Improved Oversight Needed for Automation Used to Clear
                        and Settle Trades."
                                The Commission fully recognizes the need to review and
                        assess transaction-related       automated systems    and has made the
                        development of effective       regulatory  oversight   of such systems  a
                        Commission priority.       This is reflected     in a number of recent
                        Commission actions.       The ConVnission recently created an inter-
                        agency    task force to assist the Commission in addressing current
                        developments concerning the review and assessment of automated
                        eystems.      The Commission also recently     issued an interpretative
                        rule regarding the retention        of documentation with respect to
                        such automated systems.        55 Fed. Reg. 17932 (April 30, 1990).
                        In addition,     the Commission's Division    of Trading and Markets
                        has begun the background work necessary to commence rulemaking
                        to seek public comments on issues related to a review and assess-
                        ment policy regarding automated systems.
                                As these actions reflect,       the Commission agrees that over-
                        sight standards are appropriate           for clearing    organization       auto-
                        mated systems and, as GAO has acknowledged, has begun a process
                        to formulate such standards.           However, we do not believe          that it
                        is appropriate       from a regulatory     standpoint to insist       on detailed
                        management practices         nor to specify rigid technical        or systems
                        criteria.       Rather, we would incorporate        compliance with overall
                        program standards into our existing            rule enforcement review
                        programs.       The Commission believes that the industry            self-
                        regulatory      organizations     ("SROs"), which include the futures
               Y
                        exchanges and the National Futures Association,               should have
                        some flexibility        to determine the mix of measures for review




                                Page 22              GAO/IMTJ3G9O47    Oversight   of Clearinghouses’   Automation   Is Uneven
           Appends
           CommentsPromtheCommodlty     Futures
           TradingConunh4eion




    Mr. Ralph V. Carlone
    Page 2

    and backup of systems consistent     with the number and types of
    transactions   cleared, the processing design, and the applicable
    timeframes for clearing and settling      transactions. The GAO'8
    comments in this area will be given careful consideration     as we
    continue to enhance existing    procedures and at the same time care-
    fully analyze the cost, benefits and risks associated with the
    regulatory   process.
           With respect to allocating         resources to assess the SROs' use
    of computers in the clearance and settlement process, as the
    Report acknowledges, the CFTC has authorized            its Office of Infor-
    mation Resources Management (nOIRM'O) to perform technical           aeaeee-
    ments of automated systems as part of the Commission's regular
    exchange oversight program and OIRM staff have begun conducting
    such reviews.       We believe,      however, that issues concerning the
    scope of such reviews and the extent of the resources allocated
    to conduct them are ones that must be addressed by the Commission
    in the context of its overall oversight program and applicable
    resource constraints.           Decisions concerning resource allocation
    in this context will necessarily           entail close assessment of the
    relative   priorities      of all programs administered     by the Commie-
    don.
            We further note that seven of the rules referred to in the
    Report at page seven relate to clearing and settlement with
    respect    to the Chicago Mercantile        Exchange (YX4R") Globex System,
    which was approved in February 1989 but is not yet operational.
    At the time the rules were approved, the Globex system was still
    in development.      Over the last year,       Commission staff has reviewed
    Globex eystem documentation,        visited    the central computer site to
    investigate     the physical and logical       security measures undertaken
    to protect the system, observed system testing,                 and held numerous
    discussions     with CME technical     staff concerning the system, in-
    cluding the interface      with the existing        clearing     system. These
    diecueeions have included such matters as security                 featuree,
    capacity planning,     performance characteristics,             and backup and
    recovery procedures.       Additional     oversight     activities     currently
    are underway with regard to the Globex system.

          The Commission is sensitive to the GAO's concerns in thia
    area and we believe  that the Commission's actions referred to
    herein demonstrate the Commission's commitment to enhancing the
    overaight of automated systems. We appreciate the opportunity   to
    provide comments on the draft and we would be happy to discuss
    these comments with your staff.
                                                     Very truly    yours,



Y                                                    Chairman




           Page 23               GAO/IMTEG!4O-47OveraightofClearingt1ouses'AutomationIsUneven
Appendix IV

Major Contributors to This Report


                           Richard J. Hillman, Assistant Director
Information                William D. Hadesty, Technical Assistant Director
Management and             Gary N. Mountjoy, Project Manager
                           Valarie C. Jay, Staff Computer Scientist
Technology Division,
Washington, DC.
                       A
                           Garry Roemer,Deputy Project Manager
New York Regional          Amy S. Hutner, Staff Evaluator
Office

Chicago Regional           David A. Arseneau, Staff Evaluator
Office




              Y




(610354)                   Page 24           GAO/IMTECGO47   Oversight   of Clearinghouses’   Automation   Is Uneven
1J.S. Gneral Accounting       Office
l’ost Office Box 6016
Gaithersburg,  Maryland      208’77

‘I’elephone   202-275-6241

The first five copies of each report    are free. Addit,ional   copies are
$2.00 wwh.

‘l’hwt~ is a 25% discount    on orders for 100 or more copies mailed to a
single address.

Orders must be prepaid by cash or by check or money order made
out to the Supc!rintc?ndent of Documents.
       First-(.:lass Mail
    I~osCagt~ xt Fees hid
               GA<)
I     Permit    No. G 100